How DHS is Creating the Future of Cybersecurity

With constant news about breaches detected and how government is managing the fallout from them, it seems like we are in a reactive state of cybersecurity today. Will that always be the case? If not, what does the future of government cybersecurity look like?

At our event, Evolving Tactics to Combat the Cyber Threat, Mark Kneidinger of the Federal Network Resilience Division at the Department of Homeland Security (DHS) described what tomorrow will look like in public sector cyberspace. He summarized it as achieving a “truly trusted internet environment” for users.

That environment has a number of ideal attributes, which Kneidinger detailed. A truly trusted government cyberspace would be:

Where there are security controls in place, and people have visibility into what those are

Where intrusion behavior and patterns are known and detected

Where all agencies know what’s on their networks in real-time speeds

Where we know who has access to what and why they have access to it

Where system dependencies are known and information is shared

Where cybersecurity is a responsibility shared by everyone

In order to facilitate this environment, DHS has established a number of initiatives that assist agencies in acquiring advanced cybersecurity capabilities. Kneidinger highlighted several of these during his presentation, including:

Trusted Internet Connections (TIC) Initiative – This program recognizes that as new devices and users are added to government networks, there are inevitable negative implications for the speed of access to data when all of that traffic must be backhauled through a TIC. Specifically, the agency is joining with FedRAMP to draft a TIC Overlay, which will “enable mobile users to directly connect to Federal cloud system without utilizing a TIC Access Provider (TICAP) or Managed Trusted IP Service (MTIPS).” The overlay is meant to ensure that, as environments and devices are added to networks, agencies aren’t slowing down or impeding the flow of critical information while keeping the boundary controls a TIC is supposed to provide.

National Cybersecurity and Communications Integration Center (NCCIC) – Described as “a 24×7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration,” NCCIC is working to identify shared best practices and cyberthreat information across sectors. That information will be used to create future cyber solutions. “We want to use that information to address future scenarios in a more automated fashion,” said Kneidinger.

US-CERT – Kneidinger said many people think of US-CERT as a reactive organization, because it analyzes past cyber incidents like the 2014-15 OPM breach. However, the organization is actually using that information to identify what could have been done in past scenarios to prevent intrusions. Then the agency wants to help other agencies learn how to avoid that scenario in the future. As of October 1, 2015, representatives have been assigned to every federal executive agency (even the small ones!) to make sure every government organization has access to the lessons learned and the resources US-CERT provides to bolster cybersecurity.

Continuous Diagnostics and Mitigation (CDM) Program – Broken into three phases, the CDM program is designed to identify where there are gaps in critical agency security. As part of the program, agencies will receive dashboards to visualize what’s occurring within their infrastructure in real time and to prioritize security deficiencies via an included scoring algorithm. Then, the program provides avenues like blanket purchasing agreements (BPAs) to help agencies acquire the tools and services needed to close the gaps.

Currently, the program is in Phase 2, which deals specifically with accounts and privileged access management. Phase 2 is being accelerated as part of the federal 30-day cybersecurity sprint. It will be followed by Phase 3 within the next fiscal year, which will focus on event detection capabilities.

EINSTEIN – Also provided through US-CERT, EINSTEIN complements the CDM program with intrusion detection at the network boundary. The program is in its third iteration. The first, EINSTEIN 1, provided monitoring capabilities to agencies, allowing them to collect flow data on what crossed their networks. EINSTEIN 2 added signature-based detection to that monitoring functionality. The most recent iteration, EINSTEIN 3 Accelerated (E3A), will handle the “blocking and prevention” of threats once they are detected.
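The three EINSTEIN generations describe a monitor, then detect, then block progression over boundary traffic. The following is an added, illustrative example written for this page; it is not EINSTEIN's or DHS's code, and the flow records, the indicator list, the 10 MB outbound-volume threshold and the 10.0.0.0/8 internal range are all constructed assumptions. It shows the same three stages over a handful of sample flows: aggregate what crossed the boundary, match it against shared indicators and a simple volume heuristic, and turn only the high-confidence hits into block rules, while refusing to emit a rule that would block an internal address.

```python
"""Illustrative monitor -> detect -> block pipeline over boundary flow records.

Added example for this article; not EINSTEIN's actual mechanism. All data,
thresholds and ranges below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str        # internal source address
    dst: str        # external destination address
    dport: int      # destination port
    proto: str      # transport protocol
    bytes_out: int  # bytes sent outbound in this flow


# Constructed sample flow records (not real agency traffic).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 443, "tcp", 5_200),
    Flow("10.1.2.3", "198.51.100.7", 443, "tcp", 800),
    Flow("10.1.2.9", "203.0.113.10", 443, "tcp", 3_900),
    Flow("10.1.2.9", "192.0.2.44", 4444, "tcp", 25_000_000),
    Flow("10.1.2.7", "192.0.2.44", 4444, "tcp", 300),
    Flow("10.1.2.7", "198.51.100.7", 80, "tcp", 1_200),
]

# Constructed indicator set standing in for shared threat intelligence.
KNOWN_BAD = {"192.0.2.44"}

# Hypothetical volume threshold for flagging a single large outbound flow.
EXFIL_BYTES = 10_000_000

# Assumed internal address space; block rules must never target it.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

IOC_HIT = "known-bad destination"
VOLUME_HIT = "outbound volume exceeds threshold"


def monitor(flows):
    """Stage 1 (collection): per-destination flow count and outbound bytes."""
    count = Counter()
    volume = Counter()
    for f in flows:
        count[f.dst] += 1
        volume[f.dst] += f.bytes_out
    return {dst: (count[dst], volume[dst]) for dst in count}


def detect(flows, indicators=KNOWN_BAD, exfil_threshold=EXFIL_BYTES):
    """Stage 2 (detection): indicator matches plus a volume heuristic.

    Returns a list of (flow, reason) pairs; one flow may raise several alerts.
    """
    alerts = []
    for f in flows:
        if f.dst in indicators:
            alerts.append((f, IOC_HIT))
        if f.bytes_out >= exfil_threshold:
            alerts.append((f, VOLUME_HIT))
    return alerts


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def block_decisions(alerts):
    """Stage 3 (prevention): derive deny rules from high-confidence alerts.

    Only indicator hits become automatic blocks; the volume heuristic is
    left for an analyst. A destination inside the internal ranges is never
    blocked, which guards against a poisoned or sloppy indicator feed.
    """
    rules = set()
    for f, reason in alerts:
        if reason == IOC_HIT and not is_internal(f.dst):
            rules.add(("deny", f.dst))
    return sorted(rules)


if __name__ == "__main__":
    for dst, (n, b) in monitor(SAMPLE_FLOWS).items():
        print(f"{dst}: {n} flows, {b} bytes out")
    alerts = detect(SAMPLE_FLOWS)
    for f, reason in alerts:
        print(f"ALERT {f.src} -> {f.dst}:{f.dport} ({reason})")
    print("block rules:", block_decisions(alerts))
```

Separating the stages the way the program's generations do is what makes the safety check possible: detection can be as noisy as the intelligence feed, while the block stage applies its own stricter policy before anything touches the enforcement point.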

To accelerate these initiatives, as well as to provide more focus to issues like cyber talent recruitment and two-factor authentication, the executive branch also mandated a 30-day cybersecurity sprint earlier this year.

Kneidinger’s hope is that, together, these initiatives will create the ideal future of cybersecurity. “We need to provide truly trusted access,” he concluded. These multi-focus projects, led by DHS, will help government do just that.